Social engineering

Intro

Social engineering uses psychological manipulation to trick the target into revealing information, often without the target realizing it. Without proper employee training, social engineering is considered one of the biggest security threats to a company. By knowing how humans normally act or respond under certain conditions, an attacker can create a situation in which they are given access to a prohibited area or told confidential information. It is common to exploit people's natural helpfulness, along with tempting a person through vanity, authority, or information found online.

Principles of Influence

Most humans have specific psychological attributes known as cognitive biases, which can be used to convince people to act or react the way the attacker wants them to. There are six main principles of influence that can be used in different combinations to exploit others.

  • Reciprocity- people tend to feel obligated to return a favor. If you hold a door for them, they will try to do the same for you in the future.
  • Commitment and consistency- when someone agrees to something that appeals to their self-image, they will often follow through with it, even when the incentive is taken away. One example of this is website popups whose closing option reads “No thanks, I do not want to save money” or “I'll sign up later”.
  • Social proof- the concept that people will follow their perceived social norm and do what others are doing. For example, a person goes into a room of strangers who, when a bell is rung, switch between sitting and standing. The vast majority of the time, the new person will conform to what everyone else is doing, even once everyone else has left the room.
  • Authority- people tend to obey authority figures, even ones they have no previous experience with, and even when asked to do something immoral.
  • Liking- a person is often easily persuaded by people they like, admire, or want to impress.
  • Scarcity- people are more likely to act without thinking when they believe an offer is available only for a limited time.

Types of Social Engineering Attacks

There are infinite ways to use social engineering, but here are some of the most common and powerful types to take note of.

  • Pretexting- the attacker makes up a circumstance that encourages the victim to provide sensitive information. This is often an elaborate and researched lie in which the attacker already holds information that makes the victim trust him or her, such as a birthday, healthcare provider, or last bill amount. This can be used to gain company details from an employee or customer information from a business.
  • Phishing- perhaps the most common type, phishing is when the attacker pretends to be someone they are not, often someone the victim trusts, asking for verification or offering time-sensitive deals. These emails are usually designed to make the victim act rashly without verifying the sender. They may also contain a link to a website fabricated to look exactly like a site the victim has seen before, prompting the victim to enter passwords or other personal information.
  • Vishing- “voice phishing” is commonly a phone call that attempts to obtain private information for the purpose of financial gain. It is often used in reconnaissance to build a more detailed picture of the target.
  • Smishing- using text messages (SMS) to guide the victim into a particular course of action, usually clicking on a malicious link. Examples include pretending to be the phone company and saying the victim has run out of data and should click the link to get more, or claiming to be UPS and saying the victim's package is in transit, providing a “tracking code”.
  • Baiting- attackers get the victim to connect a device containing malware themselves, often by leaving a USB flash drive in public for someone to pick up.
  • Tailgating- following close behind a person who is entering a restricted area, relying on the victim to follow common courtesy and hold the door open for the attacker. Another example of tailgating is asking to borrow a phone for a quick call and installing malware on it instead.
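The phishing and smishing entries above describe three cues a defender can check for mechanically: a sender posing as someone the victim trusts, a link to a site that imitates a known one, and language that pushes the reader to act before verifying. The following checker is an added example written for this page, not code from the wiki or its author. The trusted domains, the pressure phrases and both sample messages are constructed for illustration, and the edit-distance threshold of 2 is an assumed tuning value.

```python
"""Heuristic phishing-indicator checker for a single e-mail message.

Added example (not part of the wiki page). It flags the cues the page
describes: a display name borrowing a trusted brand, a Reply-To that
diverges from the sender, a link host imitating a trusted domain, and
pressure language. All domains and messages below are constructed.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from typing import List, Optional
from urllib.parse import urlparse

# Constructed: domains the organisation treats as its own or as trusted partners.
TRUSTED_DOMAINS = ("example-bank.com", "example.com")

# Phrases that apply scarcity or authority pressure (assumed starter list).
URGENCY_TERMS = ("immediately", "within 24 hours", "account will be suspended",
                 "verify now", "limited time")

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character look-alikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(host: str) -> Optional[str]:
    """Return the trusted domain that `host` imitates, or None if it is trusted or unrelated."""
    host = host.lower()
    if host.startswith("www."):
        host = host[4:]
    for t in TRUSTED_DOMAINS:
        if host == t or host.endswith("." + t):
            return None  # the real domain or a genuine subdomain of it
    for t in TRUSTED_DOMAINS:
        if t in host:  # trusted name embedded in another domain, e.g. example-bank.com.evil.test
            return t
        if edit_distance(host, t) <= 2:  # e.g. examp1e-bank.com (assumed threshold)
            return t
    return None


def domain_of(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def analyze(raw: str) -> List[str]:
    """Return human-readable indicators found in a raw RFC 5322 message."""
    msg = message_from_string(raw)
    findings: List[str] = []

    name, addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(addr)
    if from_domain not in TRUSTED_DOMAINS:
        # Display name borrows a trusted brand while the address does not belong to it.
        for t in TRUSTED_DOMAINS:
            brand = t.split(".")[0].replace("-", " ")
            if brand in name.lower():
                findings.append(f"display name '{name}' imitates {t} but address is @{from_domain}")
                break

    reply_to = msg.get("Reply-To")
    if reply_to:
        rt_domain = domain_of(parseaddr(reply_to)[1])
        if rt_domain != from_domain:
            findings.append(f"Reply-To domain {rt_domain} differs from From domain {from_domain}")

    body = "" if msg.is_multipart() else msg.get_payload()
    text = f"{msg.get('Subject', '')}\n{body}"
    for url in URL_RE.findall(text):
        host = urlparse(url).hostname or ""
        target = lookalike(host)
        if target:
            findings.append(f"link host {host} looks like trusted {target}")

    hits = [term for term in URGENCY_TERMS if term in text.lower()]
    if hits:
        findings.append("pressure language: " + ", ".join(hits))
    return findings


# Constructed sample: a message showing all four cues.
PHISH = """\
From: Example Bank Support <support@examp1e-bank.com>
Reply-To: collect@mail-drop.example.net
To: alice@example.com
Subject: Action required: verify your account within 24 hours

Dear customer,
Your account will be suspended unless you verify now at
https://examp1e-bank.com/login
"""

# Constructed sample: an ordinary internal message.
BENIGN = """\
From: Alice <alice@example.com>
To: bob@example.com
Subject: Lunch menu

See https://www.example.com/menu for today's options.
"""

if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("benign", BENIGN)):
        found = analyze(raw)
        print(f"{label}: {len(found)} indicator(s)")
        for line in found:
            print("  -", line)
```

Run as a script it reports four indicators for the constructed phishing message and none for the benign one. Each check is a heuristic, so in practice the output feeds a triage queue or a warning banner rather than an automatic block; the point is that the same psychological levers the page lists (authority, scarcity, liking) leave measurable traces in the message.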

Prevention

Some protective measures organizations can take to reduce their security risks include training employees, marking sensitive information, establishing security protocols, and establishing frameworks of trust between employees.

social_engineering.txt · Last modified: 2021/03/28 21:31 by alec